DETAILED ACTION

1. This action is responsive to communications: application, filed 2/5/2004;
amendment filed 12/3/2007. 

2. Claims 1-22 and 24 are pending in the case.

3. Claim 23 was cancelled by the applicant. 

Response to Arguments 

4. Applicant argues the combination of Minear and Low does not make claims 1 to
8 and 11 to 23 obvious. Specifically, and with regard to claim 1, applicant argues:

"Admittedly, Low discloses multiple processors with each processor dedicated to perform a
specific function, e.g., classification, cipher processing, and combining packets; the Low
reference, however, Low does not teach or suggest a processor that performs both
cryptographic encryption and decryption. In fact, nowhere does LOW teach or suggest
having two crypto systems with each dedicated to operate cryptographic encryption and
decryption on a different format kind of message." However, as mentioned above, Low's
multiple processors perform cipher processing. Cipher processing generally includes
encryption and decryption. It is also specifically mentioned in Low that cipher processing
involves encryption and decryption (see for example col. 6 lines 36 to 51 and col. 7 line
26 to 35). Also as admitted above, Low teaches multiple processors performing different
functionalities, and therefore teaches two or more crypto systems. Applicant further
continues: "This is because having two crypto systems for performing cryptographic functions
would be contrary to the object of Low, which is to "provide a flexible processor architecture for
supporting encryption and other processing of data within a data stream". However, it is not
clear, and the applicant does not explain why having two crypto systems would be
contrary to having a flexible processor architecture for supporting encryption and
decryption.

Applicant argues that claims 12 and 2-11, 13-21 and 24 are allowable because they
include the same limitations as claim 1. However, as discussed above, applicant's
argument relative to allowability of claim 1 is found non-persuasive. Accordingly,
applicant's argument relative to allowability of claims 12 and 2-11, 13-21 and 24 is also
found non-persuasive.

With respect to claim 11, applicant further argues: "Specifically, the Examiner asserts that
"As packets traverse through different layers of the IP communication model (i.e. physical, data
link, network layers), each layer adds and strips the header associated with that layer." With all
due respect, the well-known encapsulation processes performed on IP packets, however, do not
replace the headers with a cryptographic header and then process the message using the
cryptographic header." However, applicant's argument in their previous response was
that IPSEC encapsulates the packets with a header, but it does not remove the header.
Examiner cited the IP communication model to show that the packet header removal is
part of standard operation in IP model. The replacement of packet header with a
cryptographic header is shown by IPSEC model, which does replace the packet
header with a cryptographic header. In addition, Fig. 4 does disclose the mentioned
claim requirements because Low teaches that packets are received from a client via
network. Therefore, Low teaches removal and insertion of headers to packets
associated with a network interface.

Applicant's argument relative to claim 22 is based on allowability of claim 11; however,
as discussed above, applicant's argument relative to claim 11 is found non-persuasive.

The grounds of rejection are maintained, and detailed as follows. Note that applicant has
brought a portion of limitations of claim 18 to claim 12, and also cancelled claim 23, and
brought the associated limitations into claim 22.

Claim Rejections - 35 USC § 103 

5. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

6. Claims 1 to 8 and 11 to 22 rejected under 35 U.S.C. 103(a) as being
unpatentable over Minear (US Patent No. 5,983,350, dated 11/9/1999), and further in
view of Low (US Patent No. 6,959,346, filed 12/22/2000).

6.1. As per claim 1, Minear is directed to a network encryption system (Fig. 1 items
14 and 18 and associated text, e.g. column 3 line 60 to 65), comprising: a first network
interface, adapted for connection to a protected network; a second network interface,
adapted for connection to an unprotected network (Fig. 1, where the Internet is the
unprotected network and the workstations are protected networks, as described in
column 3 line 50 to 56 and also claim 6); a processing part, which manages the
encryption of information payload to be sent to the unprotected network, and decryption
of information payload which are received from the unprotected network (Fig. 2 item 50
and column 5 line 65 to column 6 line 20), and said processing part includes a
microprocessor therein (column 5 line 65 to 67 describes that the proxy processes
messages, therefore it has a processor and microprocessors are commonly used to
process information); and an encryption and decryption system, including a first
high-speed crypto system which operates using dedicated hardware components for
cryptographic encryption and decryption of a first format kind of message, a second
high-speed crypto system physically separate from said first high-speed crypto system
using dedicated hardware components for cryptographic encryption and decryption of a
second format kind of message different than said first format kind of message, and a
second, lower speed crypto system, which carries out said cryptographic operations
without dedicated hardware components. Fig 4 items 82 and 84 and column 11 lines 53
to 63 teach a first high-speed crypto system which operates using dedicated hardware
components for cryptographic encryption and decryption, and the second lower speed
crypto system which carries out said cryptographic operations without dedicated
hardware. Although Minear teaches a cryptographic system to encrypt and decrypt
using dedicated hardware, it does not specifically teach the use of two physically
separate high-speed crypto systems, to process messages with two different formats.

Low's Fig. 4 and 5 and their associated text teach a system including multiple 
processors, and buffers, where each packet will have a header inserted, which identifies 
which processor the packet should be sent for processing. The decision is based on the 
information inside the packet. Therefore, Low teaches a first high-speed crypto system 
which operates using dedicated hardware components for cryptographic encryption and 
decryption of a first format kind of message, a second high-speed crypto system 
physically separate from said first high-speed crypto system using dedicated hardware 
components for cryptographic encryption and decryption of a second format kind of 
message different than said first format kind of message. 

Low and Minear are analogous art as they are both directed to a network system 
security using cryptographic techniques. 

At the time of invention, it would have been obvious to the one skilled in art, to enhance
Minear's system to include multiple processors, each capable of processing different
cryptographic processes. The motivation to do so would have been to increase the
system flexibility in accommodating different types of encryption protocols, as
suggested by Low's col. 3 lines 15-57.

6.2. As per claim 2, Minear in view of Low is directed to a system as in claim 1,
wherein said first high-speed crypto system uses field programmable gate arrays which
are configured to carry out a specific encryption or decryption operation (field
programmable gate arrays (FPGA) are commonly used to develop hardware modules,
as per their definition in "Microsoft Computer Dictionary, ISBN: 0-7356-1495-4,
copyright 2002". Also note that use of FPGAs to carry out specific encryption or
decryption operations was well known in the art. For example see claim 34 of US Patent
No. 6,907,126, to Inada, filed April 18, 2001, or Col. 19, lines 22-42 of US Patent No.
7,106,860, to Yu, filed Feb. 6, 2002).

6.3. As per claim 3, Minear in view of Low is directed to a system as in claim 1,
wherein said first low-speed crypto system includes a first portion using a cryptographic
processor, and a second crypto portion using software running on a general-purpose
processor (Minear column 11 line 54 to 58 describes an interface between the software
and Hardware module, which allows the software module to use the Hardware module).

6.4. As per claim 4, Minear in view of Low is directed to a system as in claim 1,
further comprising a key management subsystem (Minear column 5 line 63 to 64), 
physically separate from said processing part (Minear col. 5 lines 47-64 teaches 
establishment of a security association between Minear's systems based on IPSEC. 
Establishing security association requires a database to store keys. It is also noted that 
keys for communication must be stored in communicating parties, which are separate. 
Also, the parties exchange key data and other security association related data using a 
network management protocol. In addition, development of security systems based on a 
distributed system architecture was well known in the art) and connected to said 
processing part via a network interface and communicating using a network 
management protocol, said key management subsystem storing encrypted software 
keys therein (column 7 line 22 to 37. Note that private keys are protected from public 
access.). 

6.5. As per claim 5, Minear in view of Low is directed to a system as in claim 4, 
wherein said key management subsystem and said processing part communicate via 
Simple Network Management Protocol (SNMP is commonly used to manage the 
communication between Hardware and Software modules, as per their definition in 
"Microsoft Computer Dictionary, ISBN: 0-7356-1495-4, copyright 2002". SNMPV3 is just 
a version of SNMP). 

6.6. As per claim 6, Minear in view of Low is directed to a system as in claim 4,
wherein said key management subsystem stores at least one private key by encrypting
said keys using a password for the encryption (per Minear column 7 line 34 to 36,
access to keys is allowed for administrators and key management daemons only.
Administrators authenticate themselves using passwords. Therefore, their password is
part of the encryption process).

6.7. As per claim 7, Minear in view of Low is directed to a system as in claim 4, 
wherein said key management system maintains addresses of other key management 
systems (Minear uses IPSEC to setup secure connection between firewalls. As 
described in column 4 line 7 to 43, the keys used in encryption/decryption process are 
identified in Security Associations. The Security Associations are identified by 
destination address. The other key management system is at the destination. Therefore, 
the address of the other key management system is maintained.). 

6.8. As per claim 8, Minear in view of Low is directed to a system as in claim 1,
wherein said first high-speed crypto system includes at least one card (Minear column 
12 line 23 to 26). 

6.9. As per claim 11, Minear in view of Low is directed to a system as in claim 1,
wherein said encryption and decryption system includes a portion which removes a
header associated with the network interface, replaces said header with a cryptographic
header, processes said message using the cryptographic header, and then generates a
new header associated with the network interface (as described in column 3 line 57 to 
column 4 line 28, Minear uses IPSEC protocol which includes the authentication header 
(AH) and encapsulated payload (ESP) methods. AH and ESP remove and replace the 
packet header with a protocol header at the sending side, process the packet using the 
protocol headers, and strip the protocol header and rebuild the original header at the 
destination side. For more information on AH and ESP, see IETF RFC 1825 to 1829. 
Also, Low Fig. 4 and 5 and associated text teaches adding and removing headers to 
identify the processor that processes the packet). 

6.10. Claims 12 to 21 are substantially the same as claims 1 to 11. 

6.11. As per claim 22, Minear in view of Low is directed to a method comprising: 
connecting to a first network which is a protected network and a second network which 
is an unprotected network; encrypting data being sent from said first network to said 
second network, and decrypting data being sent from said second network to said first 
network (see response to claim 1); and storing and managing at least one signing key in
a separate unit from the unit carrying out the encrypting, and communicating with said 
separate unit, over a separate network from said first and second network (Minear 
column 10 line 30 to 52 describes Network separation to protect the network from being 
attacked by an attacker who has obtained the control of one network node. Protocol 
data, which includes keys, are transferred between separate elements, each of which is 
responsible for a particular functionality. The network separation ensures protection of
data (e.g. keys) within one element from other elements); wherein said encrypting 
comprises removing a header associated with a network protocol of said second 
network; obtaining key information from said separate unit, and forming an encryption 
header based on said key information and associating said encryption header with a 
message fragment; encrypting the message fragment, using said encryption header; 
and regenerating the header associated with the network protocol (see the response to 
claim 11). 

6.12. Claim 23 cancelled by the applicant. 

7. Claims 9, and 24 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Minear and Low as applied to claims 1 to 8, and 11 to 23 above, and further in 
view of Gai (US Patent Application Publication No. 2004/0160903 A1, dated 8/19/2004).

7.1. As per claim 9, Minear in view of Low is directed to a system as in claim 8.
Minear teaches a system for encryption of packets in a packet switched data network by 
describing the system using IPSEC as an example. Although Minear's system is not 
limited to IPSEC or Internet protocol and does work with other packet switching 
protocols, the disclosure does not specifically mention application of the system in ATM 
or SONET. 

Gai is directed to a network security system which facilitates the process of packet
encryption (paragraph 42) by applying security tags. Gai's disclosure specifically 
includes application of his method to ATM and SONET networks (paragraphs 102 and 
103), as it teaches encryption/decryption performed in any network element that 
handles packet forwarding. 

Minear, Low and Gai are analogous art as they are both directed to network security and
packet encryption/decryption. 

At the time of the invention, it would have been obvious to a person skilled in art to 
include the idea of packet encryption/decryption of ATM and SONET packets as taught 
by Gai, in the security system of Minear in view of Low, to control the flow of messages. 

The motivation to do so would have been to expand the applicability of Minear's 
message flow control system to include ATM and SONET systems. 

Furthermore, if the network includes ATM and SONET packets, it would have been 
obvious to a person skilled in the art to use a separate card for each packet type 
(SONET or ATM) to process the encryption/decryption of packets for each packet type. 

Gai also teaches use of his method in Ethernet and Fiber Channel networks (paragraph 
98 to 100). Therefore, it teaches application of its systems in all layer 1, 2, and 3
protocols (paragraph 39), including Ethernet and Frame Relay (packet switching
protocols in layers 1 and 2. Note also that, as mentioned in section titled Response to
Arguments, use of specialized cards to perform cryptographic processing for different
applications was well known in the art).

7.2. As per claim 24, Minear, Low and Gai are directed to a system as in claim 1,
wherein at least one of said network interfaces is an Ethernet network (see the 
response to claims 1 and 9). 

8. Claim 10 is rejected under 35 U.S.C. 103(a) as being unpatentable over Minear 
and Low as applied to claim 4 above, and further in view of King (US Patent Application 
Publication No. 6,426,706, filed 11/19/1998). 

8.1. As per claim 10, Minear in view of Low is directed to a system as in claim 4. 
Minear in view of Low does not specifically teach a security interlock on said key 
management subsystem, and a memory erase function which erases said memory 
when said security interlock is violated. 

King is directed to a security interlock (column 3 line 54 to 59), which detects tampering. 
King also teaches a memory erasure function that erases memory upon receiving a 
violation warning (column 3 line 65 to column 4 line 5). 

King, and Minear in view of Low are analogous art as they are both directed to security
systems. At the time of invention, it would have been obvious to a person skilled in art to 
combine the tamper resistant feature described by King with the system of Minear in 
view of Low. 

The motivation to do so would have been to protect the keys and other important data 
from disclosure in the case of a tampering attack. 

Conclusion 

9. THIS ACTION IS MADE FINAL, as no new ground of rejection is included. See 
MPEP § 7.39. Applicant is reminded of the extension of time policy as set forth in 37 
CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 

10. Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Farid Homayounmehr whose telephone number is (571)
272-3739. The examiner can be normally reached on 9 hrs Mon-Fri, off Monday 
biweekly. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kristine Kincaid can be reached on (571) 272-4063. The fax phone number 
for the organization where this application or proceeding is assigned is 571-273-8300. 
Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published 
applications may be obtained from either Private PAIR or Public PAIR. Status 
information for unpublished applications is available through Private PAIR only. For 
more information about the PAIR system, see http://pair-direct.uspto.gov. Should you 
have questions on access to the Private PAIR system, contact the Electronic Business 
Center (EBC) at 866-217-9197 (toll-free). 

Farid Homayounmehr 
2/21/2008 

/Kristine Kincaid/ 

Supervisory Patent Examiner, Art Unit 2139 